Another zero-day threat hits Windows

Sample code that exploits a yet-to-be-fixed Windows flaw is circulating. Microsoft plans to deal with it on the next Patch Tuesday.

Sample code is circulating on the Internet for an attack using a flaw that Microsoft knows about, but has not yet fixed.

On Thursday, Microsoft warned people about a vulnerability in the Windows Shell, the part of the operating system that presents the user interface. The flaw affects Windows 2000, Windows XP and Windows Server 2003 and could be exploited via the Internet Explorer Web browser through a component called WebViewFolderIcon, the company said in an advisory.

"An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer," Microsoft said. "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user."

While sample exploit code has been published, Microsoft said it has not yet seen any related attacks. The vulnerability was actually discovered two months ago, but the code only surfaced this week, according to the French Security Incident Response Team.

Security monitoring company Secunia deems the issue "extremely critical," its most severe rating. Microsoft said it is working on a fix and plans to release it on Oct. 10 as part of its regular patch cycle. Meanwhile, it suggested several workarounds in its advisory to protect Windows systems.

On Friday, security company Determina provided a third-party fix for the flaw. It is the second time in as many weeks that an outsider has patched a flaw in a Microsoft product. Microsoft does not recommend using such third-party fixes, saying they could cause compatibility problems.

The Windows Shell bug is one of several flaws that are publicly known and for which exploit code is available, but which Microsoft has yet to patch. Cybercrooks are actively exploiting yet-to-be-fixed holes in PowerPoint, Word and IE, Microsoft has acknowledged.

Miscreants are taunting Microsoft with zero-day code, or attack code released immediately after a flaw or patch is made public, experts have said. Some security watchers have started to coin the term "zero-day Wednesday" to come after "Patch Tuesday," Microsoft's patch day on the second Tuesday of each month. Microsoft put its patches on a schedule to give IT managers time to plan and prepare.

Microsoft issued a "critical" security fix for Windows on Tuesday, two weeks before its October scheduled release date. The update repairs a flaw in a Windows component called "vgx.dll" that was being exploited widely in cyberattacks, experts said.

Featured Video
This content is rated TV-MA, and is for viewers 18 years or older. Are you of age?
Sorry, you are not old enough to view this content.

Details about Apple's 'spaceship' campus from the drone pilot who flies over it

MyithZ has one of the most popular aerial photography channels on YouTube. With the exception of revealing his identity, he is an open book as he shares with CNET's Brian Tong the drone hardware he uses to capture flyover shots of the construction of Apple's new campus, which looks remarkably like an alien craft.

by Brian Tong